Re: Impossible to IPfilter this?
From: Lupe Christoph (lupe_at_lupe-christoph.de)
Date: Wed, 11 Jun 2003 07:27:05 +0200 To: "Crist J. Clark" <firstname.lastname@example.org>
On Tuesday, 2003-06-10 at 16:07:44 -0700, Crist J. Clark wrote:
> On Sat, Jun 07, 2003 at 01:15:40PM +0200, Lupe Christoph wrote:
> > block in log quick from any to 172.17.0.7
> > It is not attached to any interface, so it should supposedly work even
> > for tunnelled traffic. Only it doesn't.
> Not sure who told you that, but it won't affect tunneled traffic. Not
> specifying an interface just means that it will be applied to all
Sigh. I noticed. It was just a try, nobody told me.
> > PS: There was talk about the sequence IPFW/IPNat/IPFilter get invoked.
> > It would be interesting to put the IPSec code in this picture. Are
> > IPSec packets going through *any* of them? With/out GIF?
> Here's what happens (approximately), the packets get fed to the
> ip_input() routine. They pass through IPFilter then IPFW. Later they
> find themselves in IPsec processing where the packets are taken out of
> the tunnel. At this point, the packets are fed back into ip_input(),
> BUT the reinjected packets skip all firewall processing on this
> pass. With the IPSEC_FILTERGIF option set, the packets _will_ go
> through the firewall, IPFilter then IPFW, after IPsec processing.
... even if they are not passing through a GIF interface? My LINT says
# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
# to be processed by any configured packet filtering (ipfw, ipf).
And I could not get GIF to work with FreeS/WAN.
> However, there may be an ugly hack to try here. I think I might try it
> on one of my experimental setups at home. It may be possible to set up
> some additional IPsec policies to block the traffic you want to stop.
That could be very interesting.
-- | email@example.com | http://www.lupe-christoph.de/ | | "Violence is the resort of the violent" Lu Tze | | "Thief of Time", Terry Pratchett | _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "email@example.com"